Privacy Policy
Effective May 19, 2026 · Last updated May 19, 2026
This Privacy Policy explains how Aero CFO, LLC (doing business as ChartOfAccounts.ai, “we,” “us,” or “our”), a Florida limited liability company, collects, uses, shares, retains, and protects personal information and Customer Data when you visit chartofaccounts.ai, use the ChartOfAccounts.ai service (the “Service”), or otherwise interact with us.
By using the Service, you acknowledge you have read this Privacy Policy. Capitalized terms not defined here have the meanings in our Terms of Service.
1. Scope & who we are
This Privacy Policy applies to personal information we process as a controller (information about you as a visitor or customer) and describes our role as a processor of Customer Data you submit through the Service (for example, your chart of accounts).
The Service is offered from the United States and is intended for business users in the United States. We do not target the Service to individuals in the European Economic Area, United Kingdom, or Switzerland; however, we have written this policy to be compatible with the GDPR, UK GDPR, and California privacy laws where they apply.
Data controller / business: Aero CFO, LLC, Aero CFO, LLC — Attn: Legal, Florida, USA.
2. Information we collect
We collect the following categories of information.
(a) Account & profile data
- Name, work email, password hash, role
- Company name, industry, country, billing address
- Authentication identifiers from Supabase Auth
(b) Customer Data (financial data you submit)
- Chart of accounts (account names, types, sub-types, balances, hierarchy) imported from QuickBooks Online, uploaded as CSV/Excel, or entered manually
- Industry templates you generate from your data and saved optimization results
We do not collect transactional ledger entries, customer or vendor lists, banking credentials, payroll records, tax filings, or any data outside of the QuickBooks Online com.intuit.quickbooks.accounting Accounts scope.
(c) Billing data
- Stripe customer ID, subscription ID, plan, status, last-four digits of payment card, billing address, invoices, credit ledger
- We do not see or store full payment card numbers — Stripe handles all card data as a PCI Level 1 processor.
(d) Usage & device data
- IP address, browser, operating system, device type
- Pages visited, features used, AI prompts you invoke, timing and outcome of analyses and optimizations
- Diagnostic logs and error reports
(e) Communications
- Support tickets, email correspondence, feedback you submit
(f) Cookies & similar technologies
See our Cookie Policy for the full list of cookies, their purpose, and how to control them.
3. How we use information
We use information to:
- Provide, operate, secure, and improve the Service, including running AI analysis and optimization on your chart of accounts
- Authenticate you, prevent fraud, and enforce our Acceptable Use Policy
- Process payments and manage subscriptions and credits
- Send transactional messages (receipts, security alerts, product changes that affect you)
- Provide customer support and respond to your requests
- Analyze aggregate, de-identified usage trends to improve the Service
- Comply with legal obligations, respond to lawful requests, and protect our rights and the rights of others
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use your Customer Data to train AI models.
4. Legal bases (GDPR / UK GDPR)
If GDPR or UK GDPR applies to you, we rely on these legal bases:
- Contract — to provide the Service you have signed up for.
- Legitimate interests — to secure the Service, prevent abuse, and improve our product (balanced against your rights).
- Consent — for non-essential cookies and marketing emails, where required. You may withdraw consent at any time.
- Legal obligation — to comply with tax, accounting, anti-fraud, and other legal requirements.
6. AI processing & model training
The Service uses Anthropic’s API to analyze your chart of accounts and produce suggestions. When you initiate an AI workflow:
- We send only the minimum chart-of-accounts fields required for the workflow.
- We use Anthropic’s commercial API. Under Anthropic’s Commercial Terms, your data is not used to train Anthropic’s models and is not retained beyond the period required to operate the API.
- We do not use your Customer Data to train our own models. If we ever introduce optional training, it will require your separate, affirmative opt-in.
- We may fall back to OpenAI as a secondary inference provider for certain experimental Labs features. OpenAI is listed in our Subprocessor List and operates under terms that prohibit training on API inputs by default.
- AI outputs are proposals only and must be reviewed by a qualified accounting professional before applying any change to your live books. See Section 3 of the Terms of Service.
7. QuickBooks Online integration
If you connect QuickBooks Online, we use the Intuit OAuth 2.0 flow and request only the com.intuit.quickbooks.accounting scope, limited to read-only access to your chart of accounts. Specifically:
- We read account names, types, sub-types, classifications, and balances.
- We never write to, modify, or delete data in your QuickBooks Online company.
- You may revoke our access at any time from within the Service or directly in your Intuit account settings.
- When you disconnect, we delete the stored OAuth refresh and access tokens immediately.
We are not affiliated with, endorsed by, or partnered with Intuit Inc.
8. Data retention & deletion
We retain information only as long as we need it.
- Account & profile data — for the life of your account. When you delete your account, identifying fields (name, email) are anonymized immediately; the underlying record is retained only as needed to honor the billing retention period below.
- Customer Data — for the life of your account. You may delete charts at any time; deleted charts are removed from active systems immediately and are purged from encrypted backups within 90 days as backup rotation completes.
- Billing records — retained for 7 years to comply with US tax and accounting recordkeeping requirements.
- Logs & diagnostic data — up to 90 days, except entries flagged for security investigations.
- AI prompts & outputs — stored with your chart for your reference, deleted when you delete the chart.
- Credit balances — wallet credits do not expire during an active subscription. If your account is inactive for 24 consecutive months, remaining credits are forfeited and the account may be closed after 30 days’ notice. See the Refund Policy.
When required by law, we may retain information longer (e.g., for tax, audit, or litigation hold purposes).
9. Security
We use administrative, technical, and physical safeguards designed to protect personal information and Customer Data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control and least-privilege provisioning
- Audit logging of administrative actions
- Hosted infrastructure with SOC 2 Type II certified providers (Vercel, Supabase, Stripe, Anthropic, Intuit)
- Routine vulnerability scanning, dependency monitoring, and code review
We aim to be SOC 2-aligned and intend to pursue formal SOC 2 certification. No system is perfectly secure; if we become aware of a security incident affecting your information, we will notify you and any regulators in accordance with applicable law.
10. International transfers
All Service infrastructure is located in the United States. Information you submit will be processed in the US. If you access the Service from outside the US, you understand that your data will be transferred to and processed in the US.
Where required, we rely on the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and other approved transfer mechanisms with our subprocessors. A copy of the SCCs is available on request via legal@chartofaccounts.ai.
11. Your rights (GDPR, UK GDPR, CCPA/CPRA)
Depending on where you live, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete personal information (“right to be forgotten”)
- Restrict or object to certain processing
- Port your data in a machine-readable format
- Withdraw consent where processing is based on consent
- Lodge a complaint with your supervisory authority (e.g., your EU/UK data protection authority or your state Attorney General)
To exercise these rights, email legal@chartofaccounts.ai. We respond within 30 days (45 for CCPA, extendable once where permitted). We may need to verify your identity before fulfilling your request. We will not discriminate against you for exercising your rights.
12. California & other US state disclosures
California (CCPA/CPRA). In the prior 12 months, we have collected the categories of personal information described in Section 2 (identifiers, commercial information, internet activity, professional/employment information, inferences) for the business purposes described in Section 3, and shared them with the categories of recipients in Section 5. We have not sold personal information and have not shared personal information for cross-context behavioral advertising. We do not knowingly collect personal information from minors under 16.
California residents may request access, deletion, and correction by emailing legal@chartofaccounts.ai. You may designate an authorized agent to make a request on your behalf. We do not charge a fee.
Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states. Residents have analogous rights under their state privacy laws. We honor those rights using the same process described above.
“Shine the Light” (Cal. Civ. Code § 1798.83). We do not share personal information with third parties for their direct-marketing purposes.
13. Children
The Service is intended for business use by adults 18 years or older. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact legal@chartofaccounts.ai and we will delete it.
14. Do Not Track & Global Privacy Control
We do not respond to Do Not Track browser signals because no consistent industry standard exists. We do honor Global Privacy Control (GPC) signals as a valid opt-out of any “sale” or “sharing” of personal information for residents of jurisdictions where GPC is recognized as a legal request.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or in-app notice at least 30 days before the change takes effect, except where a shorter period is required by law. The “Effective” date at the top of this page indicates when this version became effective.
16. Contact us
For privacy questions or to exercise your rights, contact:
Aero CFO, LLC
Aero CFO, LLC — Attn: Legal, Florida, USA
Privacy: legal@chartofaccounts.ai
Support: support@chartofaccounts.ai
See also: Terms of Service, Refund Policy, Subprocessor List, Cookie Policy, Data Processing Addendum, and Acceptable Use Policy.